(54) Network access control

(57) An access control system for controlling access by wireless terminals to a wireless telecommunications network, the access control system comprising: a database storing the identities of a set of wireless terminals belonging to the telecommunications network; a configurable store for storing a supplementary access value indicative of whether terminals that do not belong to the telecommunications network may access the network; and an access control unit for receiving an access request message indicating the identity of a wireless terminal and in response to that message accessing the database and/or the store to permit access by the wireless terminal to the wireless telecommunications network if: a. the identity of the wireless terminal is present in the database; or b. the supplementary access value indicates that terminals that do not belong to the telecommunications network may access the network.
Description

Field of the Invention 

[0001] The present invention relates to a company intranet and in particular to a method for dealing with visitors.

Background of the Invention 

[0002] Prior art office-based communications systems usually operate conventional fixed-line telephone units linked via an internal switchboard or PBX (private branch exchange). Such fixed-line systems are able to provide relatively high voice quality. However, user mobility is severely impaired. It is also known to connect a base unit for a cordless system such as DECT to the internal PBX. This allows users to use cordless handsets in the office, but the server handsets (unless they are equipped with a dual-mode capability) can not be used outside the local cordless coverage area.

[0003] The improvement of digital cellular telephone technologies means that cellular telephone systems can now provide equivalent, if not higher, voice quality than fixed-line systems. Mobile systems also allow greater freedom of movement for the user within the office than do fixed-line systems. However, there can often be difficulties in receiving cellular telephone signals in an office.

[0004] RCP (Rich Call Platform) is a proprietary communications system developed by the applicants which introduces the concept of utilising mobile telephone units, such as conventional GSM mobile stations, in an office environment. The system preferably makes use of a known concept called Internet Telephony or Voice-over-IP (Internet Protocol).

[0005] Voice-over-IP is a technology which allows sound information to be transmitted over existing IP-based Local or Wide Area Networks or the Internet. In a similar way, data and video information can be encoded so as to be capable of transmission over the same networks. The technology thus provides for convergence and integration of three different media types over the same network.

[0006] Prior to the advent of Voice-over-IP, offices often operated three separate networks for the transmission of these media types. As indicated above, fixed-line telephone systems coupled to an in-house PBX provided for voice communication, an office-based LAN or Intranet (i.e. a packet-switched internal network), normally comprising computer terminals linked via network cards and under the control of a server station, provided for the transmission of "conventional" computer data, and video cameras linked to monitors via fixed line or remote transmission link provided for video communication.

[0007] Voice-over-IP effectively combines these three media types such that they can be transmitted simultaneously on the same packet-switched intranet network or IP-routed throughout the office environment and, using an external network such as the internet, beyond the confines of the office.

[0008] In order to provide for such media convergence, Voice-over-IP often uses a specific ITU (International Telecommunication Union) standard protocol to control the media flow over the Intranet. One common standard protocol used in Voice-over-IP systems, and the one used in the RCP system, is termed H.323.

[0009] H.323 is an ITU standard for multimedia communications (voice, video and data) and allows multimedia streaming over conventional packet-switched networks. The protocol provides for call control, multimedia management and bandwidth management for both point-to-point (2 end-users) and multipoint (3 or more end-users) conferences. H.323 also supports standard video and audio codecs (compression/decompression methods such as MPEG) and supports data sharing via the T.120 standard.

[0010] Furthermore, H.323 is network, platform and application independent allowing any H.323 compliant terminal to operate in conjunction with any other terminal.

[0011] The H.323 standard defines the use of three further command and control protocols:

a) H.245 for call control;

b) Q.931 for call signalling; and

c) The RAS (Registrations, Admissions and Status) signalling function.

[0012] The H.245 control channel is responsible for control messages governing the operation of the H.323 terminal including capability exchanges, commands and indications. Q.931 is used to set up a connection between two terminals. RAS governs registration, admission and bandwidth functions between endpoints and Mobile Telephone Server (defined later).

[0013] For an H.323 based communication system, the standard defines four major components:

1. Terminal

2. Gateway

3. Mobile Telephone Server

4. Multipoint Control Unit (MCU)

[0014] Terminals are the user end-points on the network, e.g. a telephone or fax unit or a computer terminal. All H.323 compliant terminals must support voice communications, but video and data support is optional.

[0015] Gateways connect H.323 networks to other networks or protocols. For an entirely internal communications network i.e. with no external call facility, gateways are not required.

[0016] Mobile Telephone Servers are the control centre of the Voice-over-IP network. It is under the control of a Mobile Telephone Server that most transactions (communication between two terminals) are established. Primary functions of the Mobile Telephone Server are address translation, bandwidth management and call control to limit the number of simultaneous H.323 connections and the total bandwidth used by those connections. An H.323 "zone" is defined as the collection of all terminals, gateways and multipoint-control units (MCU - defined below) which are managed by a single Mobile Telephone Server.

[0017] Multipoint Control Units (MCU) support communications between three or more terminals. The MCU comprises a multipoint controller (MC) which performs H.245 negotiations between all terminals to determine common audio and video processing capabilities, and a multipoint processor (MP) which routes audio, video and data streams between terminals.

[0018] The conventional Voice-over-IP system described herein above normally utilises standard fixed-line telephone systems which are subject to the disadvantages outlined above, namely the lack of mobility and the lack of user commands.

[0019] The RCP concept takes Voice-over-IP further in that it provides for the use of conventional mobile telephone units, such as GSM mobile stations, within the Voice-over-IP system. To provide for such mobile communications within an intra-office communication network, RCP combines known Voice-over-IP, as described above, with conventional GSM-based mobile systems.

[0020] GSM base stations are provided to give coverage within the office, and are connected to the company's intranet. Intra-office calls to or from cellular telephones in the office are routed through the office intranet and extra-office calls are routed conventionally through the GSM network. Such a system provides most or all of the features supported by the mobile station and the network such as telephone directories, short messaging, multiparty services, data calls, call barring, call forwarding etc. RCP, therefore, provides for integrated voice, video and data communications by interfacing an H.323-based voice-over-IP network with a GSM mobile network.

[0021] The RCP system is a cellular network, similar to the conventional GSM network and is divided into H.323 Zones as described above. One H.323 Zone may comprise a number of cells. Two or more H.323 zones may be contained within an administrative domain. The allocation of H.323 zones to an administrative domain is an issue primarily concerning billing and is therefore not relevant to this invention.

[0022] A company RCP may be physically located in two or more separate office sites. These sites may reside in two different countries in areas managed by two or more different GSM operators. They may also reside in different regions of a country, in which two different GSM operators would be competing for customers.

[0023] It would be desirable to provide a method of allowing subscribers to use the internal site network when visiting different sites belonging to the same company and to make calls from their own site to other company sites which are routed over the company RCP system, and without being routed outside the company's own network.

[0024] It would be desirable to have a method for controlling access to the RCP network (or another like network), that would be configurable to allow or disallow visitors to use the network for signalling and calls outside the RCP system at any particular time.

Statement of the Invention 

[0025] According to one aspect of the present invention, there is provided an access control system for controlling access by wireless terminals to a wireless telecommunications network, the access control system comprising: a database storing the identities of a set of wireless terminals belonging to the telecommunications network; a configurable store for storing a supplementary access value indicative of whether terminals that do not belong to the telecommunications network may access the network; and an access control unit for receiving an access request message indicating the identity of a wireless terminal and in response to that message accessing the database and/or the store to permit access to the wireless telecommunications network by the wireless terminal if:

a. the identity of the wireless terminal is present in the database; or

b. the supplementary access value indicates that terminals that do not belong to the telecommunications network may access the network.

[0026] According to a second aspect of the present invention there is provided a method for controlling access by wireless terminals to a wireless telecommunications network having a database storing the identities of a set of wireless terminals belonging to the telecommunications network and a configurable store for storing a supplementary access value indicative of whether terminals that do not belong to the telecommunications network may access the network; the method comprising: receiving an access request message indicating the identity of a wireless terminal; accessing the database to determine whether the identity of the wireless terminal is present in the database and/or accessing the supplementary access value to determine whether it indicates that terminals that do not belong to the telecommunications network may access the network; and if:

a. the identity of the wireless terminal is present in the database; or

b. the supplementary access value indicates that terminals that do not belong to the telecommunications network may access the network; transmitting a message to permit the wireless terminal access to the wireless telecommunications network.

[0027] The access control unit may suitably be configured to permit or deny access to the network by means of transmitting a permission or denial message. That message may, for example, be transmitted to the terminal itself or to another network. That other network may be a network which the terminal currently is permitted to access.

[0028] The access request message may be a location update request. The access control unit suitably replies to such a location update request by transmitting a location update response. Where access is to be denied the message may be a location update reject message, preferably (where this is provided for) with a value indicative of location access not being allowed.

[0029] If:

a. the identity of the wireless terminal is not present in the database; and

b. the supplementary access value indicates that terminals that do not belong to the telecommunications network may not access the said network; then the access control unit suitably denies access by the terminal to the network.

[0030] One or other or both of the networks may be operable according to the GSM standard or a derivative thereof. The said network is suitably a localised network, preferably one employing an intranet or other packet-based communications system for at least some traffic communications. The said network is suitably under the control of an operator of the other network. One or both of the networks may be cellular telephone systems. The said identities may be provided as any suitable identifier. In a GSM system, or in certain other systems derived from the GSM standard, the identities may be IMSIs. In other networks the equivalent level of identification is preferably used.

[0031] The wireless telecommunications network could be a data network.

[0032] The access control unit need not be the only unit that has control over access to the said network. The access control unit could itself be under the control of another unit (e.g. a unit at the other network) or could share control with such a unit.

Brief Description of the Drawings 

[0033] The present invention will now be described by way of example with reference to the accompanying drawings, in which:

Figure 1 shows schematically components of the intranet and external internet and mobile telecommunications system which are related to the present invention.

Figure 2 is a flowchart indicating the method of operation of the system.

Description Of The Preferred Embodiment 

[0034] Figure 1 shows schematically some components of an office intranet and an external internet and mobile telecommunications system. The office intranet area is indicated generally by 1 and the external internet and mobile telecommunications system area is indicated generally by 2.

[0035] The relevant components of the intranet system 1 as shown are a Base Transceiver Station (BTS) 3, an Intranet Mobile Cluster (IMC) 4, a RCP Mobile Telephone Server (MTS) 5, an Intranet Location Register (ILR) database 6 and an A-Intranet Gateway 7. These components are connected over a wireless Local Area Network (LAN), forming the "office network" 1.

[0036] The relevant components of the internet and mobile telecommunications system 2 as shown are a Visitor Location Register (VLR) 8, an integrated Home Location Register, Authentication Centre and Equipment Identity Register (HLR/AC/EIR) 9, a Mobile Switching Centre (MSC) 10, a Transcoder and Subrate Channel Multiplexer (TSCM) 11, a Base Station Controller (BSC) 12 and BTSs 13. Together these components form the "operator network" 2. The VLR and the HLR and other registers could be integrated as part of the MSC. In this example the wireless telephone service is a GSM service, but the service could be provided by other communications systems.

[0037] The BTS 3 is equivalent to the BTSs 13 in the GSM operator network and its purpose is to receive and transmit signals to and from mobile phones and to interface with the IMC. The IMC is equivalent to a Base Station Controller in a standard GSM network. Its functions include detection of the possible need for handover, generation of speech and data frames, configuration of the BTS, control of interfacing with the MTS including status enquiry and establishing calls to/from the BTS. The MTS is responsible for controlling access to the intranet, by using information obtained from the ILR, as will be described in more detail below. The ILR is managed by the home GSM network operator and resides in the home GSM operator premises. It has access to two GSM registers via a MAP interface, namely the HLR 9 and VLR 8. The HLR and VLR hold all the location information of all subscribers. The HLR is a database which contains all the data concerning the access capabilities of subscribers of the site with which it is associated, and services to which they are entitled. Also the HLR provides MSCs associated with other sites with similar information to allow the subscriber to receive calls whilst visiting another site which is part of the same intranet. The Equipment Identity Register within an Authentication Centre allows interrogation of the HLR for verifying whether a user is listed in the HLR. The VLR stores subscriber information for all mobile phones which enter its area of coverage, which allows the MSC to set up calls to and from such phones. When a mobile phone enters its area, the subscriber data is interrogated and can be added to the VLR, so the VLR would contain the address of the subscriber's HLR.
[0038] The office and operator networks 1, 2 are connected by three interfaces:

A-interface at the Intranet Gateway 7 of office network 1 to the TCSM 11 - this is a GSM-specified gateway which controls operation, maintenance and transcoder functions and is the route used for speech. The TCSM is a further interface which interfaces with the MSC 10.

Pulse Code Modulation (PCM) providing a physical connection between the ILR 6 and the MSC 10 - for data and signalling

Mobile Application Part (MAP) interface protocol between the ILR 6 and the MSC 10 - for data and signalling

[0039] In a typical office environment having an internal intranet, company members and a variable number of visitors, all carrying GSM mobile phones 14 will enter the geographical area of the intranet 1. If they are in the middle of a call, their phone will continue to send and receive signals via the external BTS to which it is already connected, thus using the external network as normal. At the end of the call, or if they enter the intranet area whilst not in the middle of a call, their phone will automatically try to attach to the BTS 3, since this would be the closest one.

[0040] This attempt to attach is called a Location Update (LU) request. The intranet BTS 3 is similar to normal external BTSs, hence mobile phones will try to attach to it as they would any BTS which comes into geographical proximity.

[0041] The method of operation of the system is shown in figure 2.

[0042] Upon receiving an LU, the BTS 3 sends the signal to the IMC 4. When the IMC 4 receives the signal, it accesses the MTS for information as to whether the user is to be allowed to access the network. The MTS checks the ILR database 6. This ILR contains a list of all the company members' IMSIs, or has other identifier information such as phone numbers that allow members belonging to the company network to be identified. This identifier is preferably the same as is used in the LU request message, to allow matching to be done easily. The ILR sends a signal back to the MTS indicating whether the LU request is from a company member or a visitor.

[0043] If the signal received back by the MTS indicates that the LU is from a company member it informs the IMC as such and the IMC then allows the phone to attach to the BTS 3. This means that internal calls between two employees are routed from the first employee to a BTS 3, to the IMC 4, to the MTS 5 and to the second employee via the BTS 3. External calls from an employee to any phone outside the intranet are routed via BTS 3, to the IMC 4, to the MTS 5 and to the A-Intranet Gateway 7, where they are transferred over the A-interface to the TCSM 11. From here they are sent to the MSC and then forwarded to the BSC 12 and to a BTS 13, from where the phone can receive them.

[0044] If the signal received back by the MTS indicates that the LU is from a visitor, the MTS makes a decision as to whether to allow the visitor to access the intranet. This is possible because it can be configured in two ways by use of a single parameter. The parameter can be set by the company IT department, to allow or reject the LU request. The advantage of this process is that the IT department can decide at any particular time whether or not to allow visitors access to the intranet. This could be important at busy periods during which visitors cause considerable extra load on the system. Thus a high service quality can be maintained at all times for company members. The GSM operator may also have the ability to set the parameter, to allow load on the external GSM network to be relieved by the RCP network.

[0045] If the parameter is set so as not to allow visitors access to the intranet, the MTS sends an appropriate signal to the IMC which then prevents the BTS 3 from allowing the phone to attach to it. The phone will remain attached to or search for the nearest external BTS. This can be done using standard GSM codes.

[0046] If the parameter is set so as to allow visitors access to the intranet, the MTS sends a different signal to the IMC which allows the BTS to attach to the phone. The visitor's calls are then routed through the LAN and out to the external system. The facility for direct access to other phones within the intranet would not be available to visitors. Nevertheless, the fact that their calls are routed through the intranet would improve the quality of reception for the visitor.

[0047] The parameter does not indicate the ability of specific users to access the intranet. Specific additional users can be allowed access by making additions to the database of members. In a GSM-based system the location update request is not a prerequisite to the making of a handover from one base station to another. Thus the system as described above would not, in such a GSM-based system, deny access to the intranet to terminals that requested handovers into the RCP system. Such handovers may be tolerated, or could be blocked (at least to non-member terminals) by other means associated with the handover procedure.
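
The decision flow of paragraphs [0042] to [0047] can be modelled as follows. This is an added example, not code from the patent or from the RCP system: it shows the location update decision, the difference in call routing between members and visitors, and how a handover sidesteps the visitor parameter unless a separate check is applied. The IMSIs are constructed, and the `check_handover` switch, the audit list and the classification of a handed-over terminal by ILR lookup are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ACCEPT_MEMBER = "LU accept, member"
    ACCEPT_VISITOR = "LU accept, visitor"
    REJECT = "LU reject, location access not allowed"


@dataclass
class MobileTelephoneServer:
    ilr_members: frozenset          # identities (IMSIs) held in the ILR database
    allow_visitors: bool = False    # the single configurable parameter of [0044]
    check_handover: bool = False    # hypothetical switch, not named in the text
    attached: dict = field(default_factory=dict)  # IMSI -> "member" or "visitor"
    audit: list = field(default_factory=list)     # (event, IMSI, outcome, parameter)

    def _kind(self, imsi):
        return "member" if imsi in self.ilr_members else "visitor"

    def location_update(self, imsi):
        """LU decision of [0042] to [0046]: member, or visitor with parameter set."""
        kind = self._kind(imsi)
        if kind == "member":
            decision = Decision.ACCEPT_MEMBER
        elif self.allow_visitors:
            decision = Decision.ACCEPT_VISITOR
        else:
            decision = Decision.REJECT
        if decision is Decision.REJECT:
            self.attached.pop(imsi, None)
        else:
            self.attached[imsi] = kind
        self.audit.append(("LU", imsi, decision.name, self.allow_visitors))
        return decision

    def handover_in(self, imsi):
        """Handover into the intranet: no LU request, so no LU check ([0047])."""
        kind = self._kind(imsi)
        refused = (self.check_handover and kind == "visitor"
                   and not self.allow_visitors)
        if not refused:
            self.attached[imsi] = kind
        outcome = "REFUSED" if refused else "ADMITTED"
        self.audit.append(("HO", imsi, outcome, self.allow_visitors))
        return not refused

    def route_call(self, caller, callee):
        """Member-to-member calls stay internal; everything else goes out."""
        if caller not in self.attached:
            return "not attached"
        if self.attached[caller] == "member" and self.attached.get(callee) == "member":
            return "intranet"
        return "external"

    def visitors_admitted_while_closed(self):
        """Audit check: non-members handed in while the parameter said no."""
        return [imsi for event, imsi, outcome, allowed in self.audit
                if outcome == "ADMITTED" and not allowed
                and imsi not in self.ilr_members]


def demo():
    alice, bob = "001010000000001", "001010000000002"   # constructed member IMSIs
    guest = "001019999999999"                             # constructed visitor IMSI
    mts = MobileTelephoneServer(frozenset({alice, bob}), allow_visitors=False)
    out = {"alice_lu": mts.location_update(alice),
           "bob_lu": mts.location_update(bob),
           "guest_lu": mts.location_update(guest),
           "guest_ho": mts.handover_in(guest)}            # admitted: the [0047] gap
    out["internal"] = mts.route_call(alice, bob)
    out["guest_call"] = mts.route_call(guest, alice)
    out["flagged"] = mts.visitors_admitted_while_closed()
    mts.attached.pop(guest)
    mts.check_handover = True
    out["guest_ho_checked"] = mts.handover_in(guest)      # refused once checked
    mts.allow_visitors = True
    out["guest_lu_open"] = mts.location_update(guest)
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```
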
[0048] It is possible that the company intranet would be owned by the external operator and leased by the company. The system would then operate in a similar manner except the ILR would communicate via the PCM interface through the MSC 10 to the VLR 8 and the HLR/AC/EIR 9 owned by the operator. This means, for example, that the ILR would be interrogated to determine whether an LU request was from a RCP member or not. Furthermore the VLR 8 could be used to list visitors who were temporarily using the office network 1.



Claims 

1. An access control system for controlling access by wireless terminals to a wireless telecommunications network, the access control system comprising:

a database storing the identities of a set of wireless terminals belonging to the telecommunications network;

a configurable store for storing a supplementary access value indicative of whether terminals that do not belong to the telecommunications network may access the network; and

an access control unit for receiving an access request message indicating the identity of a wireless terminal and in response to that message accessing the database and/or the store to permit access by the wireless terminal to the wireless telecommunications network if:

a. the identity of the wireless terminal is present in the database; or

b. the supplementary access value indicates that terminals that do not belong to the telecommunications network may access the network.

2. An access control system as claimed in claim 1, wherein the access control unit is configured to, in order to permit access to the said network, send a reply to the access request message indicating that access to the said network is permitted.

3. An access control system as claimed in claim 2, wherein the access control unit is configured to, if:

a. the identity of the wireless terminal is not present in the database; and

b. the supplementary access value indicates that terminals that do not belong to the telecommunications network may not access the said network; send a reply to the access request message indicating that access to the said network is not permitted.

4. An access control system according to any preceding claim, wherein the said network is operable according to the GSM standard or a derivative thereof.

5. An access control system according to any preceding claim, wherein the other wireless telecommunications network is operable according to the GSM standard or a derivative thereof.

6. An access control system according to claim 4 or 5, as dependent directly or indirectly on claim 3, wherein the said message to the other wireless telecommunications network indicating that access to the said network is not permitted is a location update reject message with location access not allowed.

7. An access control system as claimed in any preceding claim, wherein the said access is a location update access.

8. An access control system as claimed in any preceding claim, wherein the said identities of wireless terminals are IMSIs.

9. An access control system as claimed in any preceding claim, wherein the said telecommunications network is a cellular telephone system.

10. A method for controlling access by wireless terminals to a wireless telecommunications network having a database storing the identities of a set of wireless terminals belonging to the telecommunications network and a configurable store for storing a supplementary access value indicative of whether terminals that do not belong to the telecommunications network may access the network; the method comprising:

receiving an access request message indicating the identity of a wireless terminal;

accessing the database to determine whether the identity of the wireless terminal is present in the database and/or accessing the supplementary access value to determine whether it indicates that terminals that do not belong to the telecommunications network may access the network; and

if the identity of the wireless terminal is present in the database, or the supplementary access value indicates that terminals that do not belong to the telecommunications network may access the network, transmitting a message to permit the wireless terminal access to the wireless telecommunications network.